
Can't mass-assign protected attributes #260

Closed
atd opened this Issue · 9 comments

3 participants

@atd
Owner
atd commented

Social Stream is not compatible with default mass attributes protection shipped with Rails 3.2.3
http://weblog.rubyonrails.org/2012/3/30/ann-rails-3-2-3-has-been-released/

Developers of Rails > 3.2.3 applications must set config.active_record.whitelist_attributes = false in config/application.rb

This needs to be fixed in the mid-term. However, there was some discussion about whether these restrictions should be declared in the controller. So we will probably wait until we see the final solution included in Rails 4

@williscool

So I'm leaning towards using social_stream for an application I'm building but I'm worried about the security implications of this issue.

Is a fix as simple as me going through the code base and adding attr_accessible lines with a script somehow, or is it a lot more complicated than that?

I guess my question is twofold.

1) How big a security issue is it? Could people potentially post as other people or stuff like that?
2) How much work do you think it is, and how specific? Would it take a lot of specific knowledge, or is it just tedious?

I'll volunteer if it's easy and it's just been put off because it's tedious :)

@atd
Owner

Hi @williscool, thank you for your offer

I guess the way to go in Rails 4 is protecting them in the controller, using the functionality of this plugin: https://github.com/rails/strong_parameters

It would be awesome to have this fix in Social Stream. I think it is potentially very harmful, up to the point you mention or beyond. The work is just tedious: watching for the parameters that are sent in each request and adding them to the controller.
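The risk and the fix discussed in this thread, reduced to plain Ruby so it runs without Rails (an added illustration, not Social Stream or Rails code): a model that accepts every key from the request hash, as happens with whitelist_attributes = false, beside a whitelist filter in the spirit of strong_parameters. The Post class, the permit helper and the request hash are constructed for the example.

```ruby
# Stand-in for an ActiveRecord model; the real gem's models have many more fields.
class Post
  attr_accessor :title, :body, :author_id

  # The server decides who the author is; it must never come from the request.
  def initialize(current_user_id)
    @author_id = current_user_id
  end

  # Mirrors mass assignment with whitelist_attributes = false: every key the
  # client sends that matches a setter is written to the model, author_id included.
  def mass_assign(params)
    params.each do |key, value|
      setter = "#{key}="
      public_send(setter, value) if respond_to?(setter)
    end
    self
  end
end

# Constructed request body: a forged author_id smuggled in next to the expected fields.
TAMPERED_PARAMS = { "title" => "Hello", "body" => "first post", "author_id" => 99 }.freeze

# Whitelist filter in the spirit of strong_parameters#permit: only listed keys survive.
# Unknown keys are reported so the controller can log them during the migration.
def permit(params, allowed)
  allowed = allowed.map(&:to_s)
  permitted, dropped = params.partition { |key, _| allowed.include?(key.to_s) }
  [permitted.to_h, dropped.map(&:first)]
end

# Before: the client can overwrite author_id and post as someone else.
def build_without_whitelist(params, current_user_id)
  Post.new(current_user_id).mass_assign(params)
end

# After: only title and body reach the model; author_id stays server-controlled.
def build_with_whitelist(params, current_user_id)
  safe, dropped = permit(params, [:title, :body])
  warn "unpermitted parameters: #{dropped.join(', ')}" unless dropped.empty?
  Post.new(current_user_id).mass_assign(safe)
end

if __FILE__ == $PROGRAM_NAME
  puts build_without_whitelist(TAMPERED_PARAMS, 7).author_id  # 99: forged
  puts build_with_whitelist(TAMPERED_PARAMS, 7).author_id     # 7: the logged-in user
end
```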

@williscool

So I just got my social_stream app working. I got stuck for a while because I ran into this.

rails/rails#5872

Rails issue, but I got it resolved with the monkey patch there.

I'm gonna focus on updating the gem dependencies to work with my app and then I'll circle back around for this

Also leaving this for reference. I like aspects of Ryan's solution

http://railscasts.com/episodes/371-strong-parameters

@atd
Owner

@williscool any advance on this?

@williscool

Not yet. Been swamped recently and haven't had time to come back to this yet.

@atd
Owner

Ok, no problem. @rafaelgg and @raquelgb are taking it on, since it is a serious issue that needs to be solved

@williscool

Ok, good news. Let me know about progress. I'm most interested in this and the Twitter Bootstrap update

@rafaelgg rafaelgg was assigned
@atd
Owner
atd commented
@atd atd closed this
@williscool

Nice!
